A lightweight and secure protocol for teleworking environment

The Internet has advanced so quickly that we can now access any service at any time, from any location. As a result of this capability, people around the world can benefit from the popularity and convenience of teleworking systems. Teleworking systems, however, are vulnerable to a range of attacks: an unauthorized user who enters the open communication line can compromise the whole system, which in turn creates a big hurdle for teleworkers. Professional groups have presented numerous mechanisms for the security of teleworking systems to stop any harm, but there are still a lot of security issues like insider, stolen verifier, masquerade, replay, traceability and impersonation threats. In this paper, we propose that one of the security issues with teleworking systems is the lack of a secure authentication mechanism. In order to provide a secure teleworking environment, we have proposed a lightweight and secure protocol to authenticate all the participants and make the requisite services available in an efficient manner. The security analysis of the presented protocol has been investigated formally using the random oracle model (ROM) and ProVerif simulation and informally through illustration/attack discussions. Meanwhile, the performance metrics have been measured by considering computation and communication overheads. Upon comparing the proposed protocol with prior works, it has been demonstrated that our protocol is superior to its competitors. It is suitable for implementation because it achieved a 73% improvement in computation and 34% in communication costs.


Introduction
The facility provided to someone to accomplish their assigned responsibilities remotely through the Internet, e-mail, chat, video conferencing, or other platforms is called teleworking. The convenience of working in a remote work environment through online meetings, chat, video conferencing, instant messaging, multimedia document collaboration, and coordination among workers worldwide has drawn the attention of researchers into the field of telework [1]. And for the last three to four years, particularly during the COVID-19 pandemic, there has been a marked increase. The incredible and dispersed organizational controls associated with telework inevitably lead to an increase in information security threats. For instance, workers who opt to work from home are unable to guarantee that their living quarters meet the bare minimum security standards. Moreover, some companies need to create a telework security strategy that lays out the expectations, limitations, and duties of teleworkers in terms of preventing and handling security events. Organizations may be more vulnerable to network security threats in these circumstances [2]. Therefore, secure authentication and cross-verification of all participants are mandatory to ensure information security.
With the widespread developments in networking technology, unified communication, and the output produced by the Internet of Things (IoT), everyone may now do duties outside of the office with greater ease due to the Internet. To save time and money, competent and well-trained individuals may efficiently and flexibly provide services remotely from homes and other suitable locations. Their production will grow because of fewer workplace distractions, greater autonomy, and balanced work, saving businesses money and resources while requiring less real estate expenditure. However, this revolution in the business and technology sectors also creates constraints by forcing firms to develop and adapt, mimicking corporate trends and continuous improvement in their IT and communication systems. It aims to expand resources by developing the infrastructure to minimize human involvement [3], as shown in Fig 1.
Conversely, lessening the human element might enhance digital work administration; however, managing the technological safety of all modern traffic, whether inside or outside the company, is difficult as secure communication is one of the most important factors in ensuring data protection, accessibility, secrecy, and authenticity. Challenges with teleworking include monetary harm and data vulnerabilities that expose business data [4].
Conventional security methods that relied on a dynamic framework did not function well; teleworkers still need a safe and secure workplace even with powerful intrusion detection systems (IDS), firewalls, sophisticated encryption, anti-virus software, and other safety precautions [5]. The increasing number of skilled workers and teleworking outside the business infrastructures using capabilities offered by internet service providers (ISP) make the security of transferred information even more important. Companies that let staff work on assignments and operations from home to increase efficiency have put their corporation's digital security at risk [6]. Businesses must be aware of the dangers of leaving themselves open to various attacks. To ensure the presence of risks for all parties concerned, they must fortify themselves with resources and proactive strategies [7].

Motivation
By creating and maintaining a telework security plan, protecting conversations and data saved on client devices, and assuring that remote servers/peripherals are appropriately accessed, a robust authentication of all participating entities is needed that can guarantee secure communication. Also, keeping in view the fundamental security features like privacy protection, remotely working in a secure environment, time management, non-physical work environments at home, and intrinsic and extrinsic workload, etc. motivates us to design a security system (remote authentication of all the participants in a secure manner) for such a vulnerable environment. And how various genders adapt to a work-life balance without annoying the traditional family culture. The proposed security system could help companies to reorganize their structures with greater flexibility.

Challenges and contributions
Employees who work remotely may be isolated from one another, which could inhibit their ability to react to security threats. Furthermore, there may be dangers associated with needing to have control over how sensitive data is used, stored, and deleted across different applications. Insufficient data security in teleworking environments can lead to data breaches, where hackers can take advantage of weak authentication schemes and compromise the confidentiality, integrity and authorization of data. Weak authentication can create severe repercussions from such breaches, including malware attacks and harm to one's reputation (traceability and unprotected privacy). To combat these security challenges, some governments and corporations have restricted the physical involvement of their workers while keeping their output the same. These organizations have been responsible for providing a secure environment to their workers for working from home in the teleworking environment, which will rely heavily on the Internet. So far, this research offers a security mechanism for a teleworking environment that tackles the aforementioned major issues and challenges of security. In this regard, we have designed a strong authentication for the remote monitoring of teleworkers, which offers protection against unprotected connections. The main contributions of this research work are as follows:
• To propose a lightweight and secure authentication protocol that can protect critical resources of the teleworking environment and mitigate all known threats due to giving unsecured external access to critical data/resources.
• To design a protocol with lightweight operations causing no delay in responding to security vulnerability and offering low computation and communication costs and robust security.
• To verify the security of the proposed authentication protocol both formally and informally by showing a delicate balance of security with performance, as these are opposing features often missing in previous protocols.
• To comparatively analyze it with state-of-the-art works in terms of security functionalities, performance metrics, communication, and computation overheads.
By successfully conducting the proposed research work, the following questions that a layperson can raise will be answered. Recently, people haven't felt secure due to the availability of strong adversaries; they didn't work remotely in a safe environment.
• How can a teleworking environment be secure?
• How can the attention of skilled people be catered to?
• How can it take less time for greater output?
• How fast can the work be done?
• How can energy-saving techniques for an organization be materialized?
The remaining paper is organized as follows: section 2 contains the literature survey, where we have also presented a review analysis of the baseline scheme and cryptanalyzed it. The result of cryptanalysis shows that the scheme suffers from insider, bias, inaccuracy, and heavyweight; section 3 presents the system model, threat models, design goals and key highlights; section 4 demonstrates the proposed authentication scheme, and in section 5, we analyze the security of the proposed protocol both formally using the random oracle model (ROM) and ProVerif simulation and informally using attacks' discussion; section 6 contains performance measurement of the proposed scheme, and in section 7, we conclude the work.

Literature survey
Gupta et al. [8] identified drawbacks in an identity-based protocol used for remote working. They identified impersonation and insider attacks as the major loopholes. After that, [8] presented an improved ECC-based authentication scheme for mobile devices. However, [8] shows that the plan is lightweight and robust. Salami et al. [9] demonstrated that remote authentication could ensure any transaction's availability, non-repudiation, and integrity. And the online task is accomplished by many businesses through cloud-based computing. In this scenario, thousands of devices accessed cloud servers remotely through low-capacity mobile devices. Such devices are susceptible to potential threats and need rigorous attention. So far, they [9] have proposed a multi-level remote authentication protocol to prevent misusing exchanged information. Ahn et al. [10] argued that telework is a practical working platform that offers stakeholders a more efficient way of working.
It should be noted that the protection of exchanged information is much needed in this regard. [11] have proposed a near-field communication (NFC) based authentication protocol for teleworking. They claimed that the privacy of a remote user is a dire need of the day, and most of the work done by researchers has never tackled this major issue; the schemes available in the literature also failed to provide secure services to teleworkers. They [11] claimed that their security framework offers resistance to insider and impersonation threats and provides anonymity, untraceability, and forward secrecy.
With the rapid advancement in technology, which is becoming more mature, people's schedules are also getting more complicated. Right from dawn, their pursuit starts quite unaware of their immediate surroundings, including the household. They lock the door, hoping to control it from the workplace. This, however, is not immune to attacks from hackers who may easily rob the valuables. To overcome these impending threats, we have attempted to connect all valuables in the household so they can be safely monitored/controlled via mobile. Jan et al. [12,13] proposed a remote user's security mechanism for alleviating desynchronization attacks. They claimed that in most protocols, the random numbers generated at one end couldn't update their corresponding peers, creating a desynchronization flaw. To tackle such an issue, they efficiently mitigated it by saying that if one participant sent a random number to other participants, and the central server failed to verify its randomness, it means that someone had tampered with the message, so it is considered a potential threat, promptly discarded, and the process is terminated. And if, for example, one participant sent a random number to some other participants, and the adversary A captured it from the open line, the communicating parties, in this regard, don't believe in single running because all the participants must first agree upon a single key, then start communication. Their scheme fantastically highlighted the desynchronization issue; however, their scheme's computation cost is much higher due to modular exponentiation.
A three-factor symmetric key-based scheme has been presented by Zeeshan et al. [14] for telecare medicine information systems. The protocol suggested by [14] has reliably provided mutual authentication and perfect forward secrecy. However, it is weak against man-in-the-middle and session key disclosure attacks. Amin et al. [15] proposed a security framework for IoT in distributed cloud computing. Their scheme offered mutual authentication and could withstand impersonation attacks; however, they suffered from traceability attacks. Chaudhry et al. [16] demonstrated a protocol for distributed cloud computing. Their protocol has many merits, including its resistance to Ephemeral Secret Leakage (ESL) and impersonation attacks. Also, their scheme competently provides perfect forward secrecy and mutual authentication. However, they forgot to mention the revocation/reissue phase, which is vital to security. Wu et al. [17] and Jia et al. [18] proposed a scheme for edge computing working for remote users. Their presented scheme's security and privacy-related security protocol securely provides mutual authentication and withstands password guessing and brute force attacks. However, it failed to resist man-in-the-middle attacks and didn't provide perfect forward secrecy.
Gope et al. [19] proposed a security protocol for the remote monitoring of an entity using a wireless sensor network. They argued that remote user authentication in a resource-limited environment is a critical task, and such paramount security concerns can only be handled by first efficiently authenticating the user and then starting data transmission. However, due to using symmetric cryptography and encryption/decryption functions, their lightweight claim needs to be made more explicit. Encryption/decryption is unsuitable for such a resource- and bandwidth-limited environment. At the moment, Shafiq et al. [20] designed an ECC-based lightweight authentication framework for authenticating a user remotely. But when an attacker steals the smart card, which is the primary entity in their scheme, they can quickly launch stolen-verifier and ESL attacks on their security mechanism. Taher et al. [21] proposed a three-factor authentication scheme for a remote user for IoT using WSN. They used AVISPA for simulation, BAN logic for hash code security checking, and fingerprint for additional security. However, the offline password-guessing attack has been noted in their scheme because when an adversary A chooses an identity, they can quickly become successful for limited guesses.
Challa et al. [22] presented a framework for a heterogeneous-based cyber-physical system using IoT. They argued that cyber attacks were challenging when the number of IoT increases for the physical phenomenon, and such challenges couldn't be detected easily. Employing an efficient security system makes anonymity, privacy, and secure information broadcasting more straightforward to tackle. However, a signature-based scheme is not feasible for resource- and power-limited IoT. Similarly, if an attacker has stolen the smart card of a system, they can quickly figure out the internal credentials from it. Therefore, the proposed scheme still needs to deliver secure services for the system. Wazid et al. [23] proposed an ECC-based authentication scheme for a smart home environment. Their scheme seriously tackled the issue of replay and clock synchronization attacks, which they have noticed in many security frameworks. However, in the second public channel transmission, the gateway node key ($SK_{GS}$) is transmitted openly, which the attacker can easily capture and identify many other credentials for DoS attack. Shuai et al. [24] proposed a robust remote monitoring authentication system using a symmetric key cryptographic method. The 1024-bit key is unsuitable for such a resource-limited and low-power IoT.
Oh et al. [25] presented a scheme for IoT-based smart homes. They used a lightweight asymmetric cryptographic method for designing their scheme. Their scheme has fantastically achieved its goals for the remote monitoring of intelligent gear installed in smart homes online through the internet. However, their scheme is unsafe against privileged insider and stolen verifier attacks because when an adversary steals the mobile device, the internally stored credentials can easily be identified and later used for malicious deeds. Ding et al. [26] designed a scheme using the fuzzy extractor method for securing user biometrics. However, their scheme is not safe against online/offline password-guessing attacks.
Kamble et al. [27] proposed a provable secure protocol for a tele-medicine information system using the chaotic map method. They have analyzed the security of their protocol through BAN logic and AVISPA simulation toolkit and claimed that their scheme has successfully preserved the privacy of users. However, they use a chaotic encryption method, which is based on floating calculation, that in turn makes the hardware implementation difficult compared to AES and DES, which need integer operations. Meshram et al. [28] designed a scheme for a human-centred IoT system using the Quantum Chebyshev Chaotic (QCC) Maps method. They demonstrated that modelling analysis for IoT is much needed because of different human behaviour. Using encryption, IoT can tackle the issue of human behaviour over IoT, but bilinear maps create hurdles while implementing these encryption-based security models. To mitigate this flaw, they have proposed the Quantum Chebyshev Chaotic (QCC) Maps method for the HC-assisted IoT system. However, due to using the Computational Diffie-Hellman [29] method for key exchange, their scheme is suitable for single-party authentication; when the number of participants increases, their scheme doesn't show efficiency. Another scheme [30] based on Fractional Chebyshev Chaotic Map-Based was also presented for the HC-IoT system. Upon going to check the protocol round-trips in the login authentication phase, it has been observed that in the first round trip, the identity is transmitted openly, which an attacker can catch and launch DoS and replay attacks later on. In [31], they used a digital signature technique for an HC-assisted IoT system. However, they didn't tell the reader about what type of verification their algorithm will perform, either one-to-one or batch.

Review analysis of baseline scheme
Recently, [17] proposed a novel authentication scheme based on the bilinear mapping technique. They have taken two groups, namely $|G|$, $|G_T|$, and $Z_p^*$, of key sizes 1024, 1024, and 160 bits, respectively. They have designed their scheme using SHA-256, symmetric encryption/decryption, and biometric Gen(.)/Rep(.) functions. Their scheme consisted of two phases, i.e., registration and login and authentication. The registration phase is accomplished at the following points:
1. The user selects identity $MID_i$, and transmits it to the registration center.

The RC chooses r i , x i , computes TMID
x i } and transmits {TMID i , B i , h(.)} back towards the user smart card.
3. The user enters his/her $PW_i$, generates biometrics $BIO_i$, chooses $n_i$, computes Gen , replaces $TMID_i$ with $TMID_i^*$ and injects {$C_i$, $Auth_i$, Gen(.), Rep(.), $\tau_i$} in the memory of mobile smart card.
4. Now, the server first chooses identity and transmits it to the registration center.
5. The RC also chooses two arbitrary numbers $r_j$ and $x_j$, computes $PSID_j = h(SID_j \| r_j)$, secret key of server $K_S = h(h(SID_j \| K_{RC})$, $Q_j = h(SID_j \| x_j)$, $F_j = r_j \oplus Q_j$, stores {$F_j$, $PSID_j$, $x_j$} and transmits {$K_S$, $r_j$} back towards the server for also storing in its memory.
The login and authentication phase of the scheme [17] takes the following round-trips to complete. These are as follows:
1. The user inserts their smart card, provides $MID_i$, $PW_i$, generates $BIO_i'$ and computes Rep and transmits {$r_1'$, $B_i$, $D_1$, $D_2$, $T_1$} towards RC over a public network channel.
2. The RC checks the time space $T_1 - T_c \le \Delta T$,

Cryptanalysis of baseline scheme
Upon thoroughly analyzing [17], the following vulnerabilities have been noticed:
1) Prone to Privileged Insider Threat: Many random numbers are extracted in each round trip of the protocol, which has a big chance for privileged insider threats. Similarly, in the scheme [17], the parameters stored in the smart card are {$C_i$, $Auth_i$, Gen(.), Rep(.), $\tau_i$}, in which a privileged user can select a random number $r_A$, compute $C_A = r_A \oplus MID_i$, $Auth_i = MID_i \oplus C_A$ and $TMID_A = MID_A \| PW_A \oplus C_A$. After finding an identity, he/she can then easily launch a privileged insider attack. If we consider the same attack for the server, the credentials stored are {$r_j$, $K_s$}, whereas $r_j$ is a random number while $K_s = h(SID_j \| s)$, which a privileged user can find easily. Therefore, [17] is prone to privileged insider threats.

2) Bias:
The protocol presented in [17] minimizes biometric demographic bias for such a resource-limited environment.The biometrics used in [17] demonstrate notable variations in their functionality while engaging with distinct user demographics; they are deemed to be biased.As a result, some user groups enjoy privileges while others suffer disadvantages.They didn't explain anything about bias and effectiveness in the user biometrics while authenticating or generating cryptographic keys.
3) Inaccuracy: The fuzzy extractor relies too much on expert knowledge and needs more capacity to gain insight from data.Therefore, the Gen(.) and Rep(.) functions can still have the chance of false rejection/accepting a legitimate user for entering the system credentials.The scheme presented is fuzzy extractor-based, in which a user authentication of biometrics is performed many times (fuzzy extractor is a challenge-response verification method), which causes heavy computation and communication costs.Also, a legitimate user can easily trace through biometrics/facial recognition/thumb extraction.
4) Stolen-Verifier Attack: Suppose an attacker steals the smart card and uses power analysis or reverse engineering techniques. A chooses two random numbers $L_A$, $L_B$, computes $M_A = h(MID_i \| L_A)$, $B_A = M_A \oplus h(L_A \| L_B)$, and obtains {$B_A$, $L_A$}, which means A can reach the identity and password, and then A uses it for malicious deeds like launching replay, DoS, masquerade, impersonation, ESL, MITM, side-channel and other attacks. Therefore, a stolen verifier attack is possible on the scheme [17].
Considering all the drawbacks mentioned above, it has been concluded that [17] is a weaker scheme.

5) Traceability, DoS and Replay Attacks:
In the login and authentication phase of the protocol, the first message transmitted from the mobile user towards the registration centre is $M_1$ = {$r_1'$, $B_1$, $D_1$, $D_2$, $T_1$}. This message contains server identity $SID_j$, which an attacker can easily capture/identify in $D_1 = SID_j \oplus h(TMID_i \| T_1)$ and violate the system's privacy. Similarly, an attacker can also use this server identity ($SID_j$) to launch replay and DoS attacks on the system. Therefore, the Wu et al. [17] scheme suffers from privacy issues and is vulnerable to traceability, DoS and replay attacks.
6) Lack of Password Changing Phase: Despite using passwords by a user in the login and authentication phase of Wu et al.'s [17] scheme, they do not provide a facility for a legitimate user to change his/her password freely and securely.
All these vulnerabilities shall be mitigated by designing a robust, lightweight, and provably secure system for the teleworking environment.

System model
The proposed network model consists of a teleworking server (TS) that connects numerous Internet-of-Things (IoT) of the organization, a registration center (RC), and a remote-mobile user (MU). All the entities first register with the registration center (RC) over a reliable channel and then operationalize for the teleworkers in the teleworking environment. Suppose the RC is a fully trusted entity. In contrast, all other components, i.e., the Teleworking Server (TS) and mobile user (MU), may or may not be fully trusted, as shown in Fig 2. These participants can be described as follows:
• Registration Center (RC): It is responsible for registering all the entities within the organization (Teleworking server) or outside of the organization (remote/mobile user).
• Teleworking Server (TS): The teleworking server is placed between end-users and the IoT of the organization for data processing and broadcasting. Furthermore, TS provides reliable services with smaller latency to the remote user.
• Mobile-User (MU): It is either PCs, tablets, cell phones, or other network-enabled devices to get facilities prescribed by the teleworking server (TS).
As discussed, the popularity of teleworking is growing daily, allowing people to work from anywhere, utilizing various mobile devices and Internet services. Teleworking boosts business efficiency, productivity, and expenses, but securely accessing information, operating Internet-of-Things (IoT) remotely, and maintaining privacy are challenging concerns that have yet to be resolved. As a result, this study developed a security method that can effectively alleviate the security and privacy risks associated with teleworking. We will focus on the following main points:
1. To design an architectural framework for a teleworker to utilize/access the resources remotely in the teleworking environment so that no one can weaken the remote access level.
2. To propose a security mechanism that resisted all known threats on the client side during teleworking and can guarantee secure communication.
3. To facilitate the teleworkers' secure communication for working without breaks, saving businesses' costs and managing time effectively.

4. To facilitate the skilled individual to work without worrying about hacking, data leaking, and phishing so that they can feel more flexibility while working in the teleworking environment.
5. The proposed scheme is without bilinear mapping, having no point multiplication exponentiation, and without symmetric encryption/decryption functions while offering excellent services to teleworkers.
6. The secret session key secrecy, confidentiality, and authorization have been verified formally using ROR/ProVerif and informally using illustrations. The result shows that the mechanism is robust and lightweight for such a vulnerable environment.
7. To comparatively analyze the designed scheme with present schemes regarding computation and communication overheads.

Design goals
The following goals can be achieved by designing a security mechanism [32,33] for teleworking environment protection:
• G1: Message authentication and integrity: mobile user/end-user (MU) mandatorily verifies the jurisdiction of the received message without being altered, modified, or forged by someone.
• G2: Confidentiality and Authorization: The request sent to the server or the response received by the end user must be confidential. No one can figure out its internal contents, and both peers must confirm the authenticity of each other and the message exchanged.
• G3: Conditional Privacy-Preserving: Except for the organization server, no other participants can trace the identity of the other participants.
• G4: Untraceability: Two sessions mandatorily will always start on a different key.Each session's key must differ from other sessions; otherwise, a malicious user can easily trace the legitimate user.
• G5: Physical Protection: Protection of the system from active and passive attacks means the system is protected physically.
• G6: Resilience to Insider Threat: The server is accessible from any storage table; anyone accessing the internal credentials must not extract helpful information from memory.The internally stored credentials will be available to the attacker in a non-readable format to avoid any future hazard to the system.
• G7: Mutual Authentication: Each peer must mutually authenticate before starting data broadcasting.Each participant can verify the legality of messages and identities from other entities.If the verification fails, there may be a forgery attack.
• G8: Perfect Forward Secrecy: The 160-bit long keys cannot compute session keys without knowing hash values. It means that the secrecy of previous sessions is not affected even if A can identify the long-term secret key, because A still cannot succeed against hashed and encrypted values. Therefore, the proposed key agreement protocol satisfies the perfect forward secrecy feature.
• G9: Resists Man-in-the-Middle Attack: The security mechanism must be able to detect intruders.Each round trip must contain a random check to avoid a man-in-the-middle attack.
• G10: Resists Denial-of-Service (DoS) Attack: Message freshness, randomization, and predetermined time threshold can deny any replay attack or DoS attack.

Threat model
This work adopted the Dolev-Yao threat model, called the DY-model [34]. According to this model, an attacker has the following capabilities:
• Attacker A can easily capture messages from the public network channel.
• Attacker A can modify the recorded message.
• Attacker A can delete the full or some part of a message captured from an open network channel.
• Attacker A can easily launch a replay attack.
• Attacker A can also divert the route of a message.
• Attacker A can guess different credentials from a publicly transmitted message.
• An attacker A can steal the mobile device and obtain useful credentials using reverse engineering techniques.
• Attacker A might be a privileged insider sitting on the system.

Proposed protocol
The proposed protocol consists of registration, authentication, and password change phases. Each of these phases is described one by one as under, while the different notations used for designing the protocol are shown in Table 1.

Teleworking Server (TS) registration phase
This phase is accomplished in the following steps:
TS1: The teleworking server first generates $ID_{TS}$ and sends it towards the registration center.
TS2: The registration center (RC) generates its secret key $s$, random numbers $r_{TS}$, $x_{TS}$, computes $A = h(ID_{TS} \| r_{TS})$, $B = h(ID_{TS} \| s)$, $C = h(ID_{TS} \| x_{TS})$, $D = r_{TS} \oplus C$, stores {$A$, $D$, $x_{TS}$}, and sends ($r_{TS}$, $B$) back towards the teleworking server over a private channel.
TS3: The teleworking server, upon receiving ($r_{TS}$, $B$), also stores it in its database, as shown in Fig 3.

Mobile User (MU) registration phase
This phase is completed in the following steps:

MU1: The mobile user generates its identity $ID_{MU}$ and sends it toward the registration center over a secure path.
MU2: The registration center (RC) first chooses its secret value $s$ and random numbers $r_{MU}$, $x_{MU}$, computes $A' = h(ID_{MU} \| r_{MU})$, $B' = A' \oplus h(s \| x_{MU})$, stores {$A'$, $B'$, h(.)} and transmits ($A'$, $B'$) back towards the mobile user (MU) over a private channel.
MU3: When receiving ($A'$, $B'$), the mobile user also stores it in its memory, as shown in

Login and authentication phase
The protocol's most essential and logical phase is the login and authentication phase. This phase is completed in the following steps.
LA2: The RC first checks the time interval against the maximum available time threshold, $T_C - T_1 \le \Delta T$; if it doesn't validate, a potential replay attack is considered; otherwise, it checks $B' \stackrel{?}{=} B' = A' \oplus h(s \| x_{MU})$; if it doesn't match, the process will be denied, else it computes: $J = F \oplus h(ID_{MU} \| T_1)$, $r_1' = r_1 \oplus h(ID_{TS} \| ID_{MU})$, $G' = h(ID_{TS} \| ID_{MU} \| r_1 \| T_1)$, and confirms $G \stackrel{?}{=} G'$; if it becomes valid, the onward computation is performed, otherwise, the process is terminated for a potential DoS attack. The RC now retrieves $A$ and selects $T_2$ and $r_2$. Computes $Q_1 = h(A \| r_2) \oplus h(h$
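The registration steps TS2 and MU2 and the first two checks of LA2 above, carried out in Python as an added example (not code from the paper). Assumptions: SHA-256 stands in for h(.) with length-prefixed concatenation, ΔT is 5 seconds, the RC keeps x_MU and finds the user's record by A', and the login request carries (A', B', T_1), since step LA1 is not on the page.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # seconds; assumed value for the threshold ΔT (not given on the page)


def h(*parts: bytes) -> bytes:
    """h(p1 || p2 || ...), with SHA-256 assumed for h(.).

    Each part is length-prefixed so that ("ab", "c") and ("a", "bc")
    hash differently; plain concatenation would make them collide.
    """
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big"))
        digest.update(part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class RegistrationCenter:
    def __init__(self) -> None:
        self.s = secrets.token_bytes(32)  # RC secret key s
        self.ts_records = {}              # ID_TS -> (A, D, x_TS)
        self.mu_records = {}              # A' -> (B', x_MU); keyed by A' (assumption)

    def register_ts(self, id_ts: bytes):
        """Step TS2: returns (r_TS, B) for the private channel."""
        r_ts, x_ts = secrets.token_bytes(32), secrets.token_bytes(32)
        a = h(id_ts, r_ts)
        b = h(id_ts, self.s)
        c = h(id_ts, x_ts)
        d = xor(r_ts, c)
        self.ts_records[id_ts] = (a, d, x_ts)
        return r_ts, b

    def recover_r_ts(self, id_ts: bytes) -> bytes:
        """r_TS is not stored, but D xor h(ID_TS || x_TS) yields it again."""
        _a, d, x_ts = self.ts_records[id_ts]
        return xor(d, h(id_ts, x_ts))

    def register_mu(self, id_mu: bytes):
        """Step MU2: returns (A', B') for the private channel."""
        r_mu, x_mu = secrets.token_bytes(32), secrets.token_bytes(32)
        a_p = h(id_mu, r_mu)
        b_p = xor(a_p, h(self.s, x_mu))
        # x_MU is kept here (assumption) because LA2 recomputes h(s || x_MU).
        self.mu_records[a_p] = (b_p, x_mu)
        return a_p, b_p

    def check_login(self, a_p: bytes, b_p: bytes, t1: int, now: int) -> str:
        """First two checks of LA2: freshness, then B' = A' xor h(s || x_MU)."""
        # T_C - T_1 <= ΔT; the lower bound (added here) rejects future-dated T_1.
        if not 0 <= now - t1 <= DELTA_T:
            return "stale"
        record = self.mu_records.get(a_p)
        if record is None:
            return "unknown"
        _stored_b, x_mu = record
        expected = xor(a_p, h(self.s, x_mu))
        if not hmac.compare_digest(expected, b_p):
            return "bad-credential"
        return "ok"


def demo() -> dict:
    rc = RegistrationCenter()
    r_ts, _b = rc.register_ts(b"TS-01")      # constructed sample identity
    a_p, b_p = rc.register_mu(b"mu-alice")   # constructed sample identity
    forged = bytes([b_p[0] ^ 1]) + b_p[1:]   # B' with one bit flipped
    return {
        "r_ts_recoverable": rc.recover_r_ts(b"TS-01") == r_ts,
        "fresh": rc.check_login(a_p, b_p, t1=1000, now=1002),
        "replayed_late": rc.check_login(a_p, b_p, t1=1000, now=1010),
        "future_dated": rc.check_login(a_p, b_p, t1=1005, now=1000),
        "forged_b": rc.check_login(a_p, forged, t1=1000, now=1001),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```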

Password change phase
If the mobile user (MU) wishes to change their password, the proposed protocol lets them do so securely. MU enters their identity $ID_{MU}$ and password $PW$ and calculates: $A^{m} = h(ID_{MU} \| PW) \oplus A$, $A'^{m} = h(ID_{MU} \| PW) \oplus A^{m}$, chooses a random number

Security analysis
In this section, the security of the proposed protocol is analyzed using the random oracle model (ROM) [35] and ProVerif2.03 [36], which are also used by [18,21,26,28,30]. These are described one by one as follows:

ROM analysis
A standard formal security analysis method, namely the ROM, is used to analyse the proposed protocol's shared session key between MU and RC, and then between RC and TS, against an adversary A. To achieve this goal, we first consider the semantic approach and session key security. The different queries executed by an adversary A are discussed below; the collision-resistant one-way hash function is also treated as one of the participants for A, denoted HASH. With these in place, the ROR model involves several elements, including RC, TS and MU, in which MU and TS are engaged in mutual authentication, apart from RC, which is primarily involved in the registration phase of the protocol. Let TS identify the $b_1$ and $b_2$ instances of MU and TS correspondingly, also called random oracle instances.

1) Execute
A eavesdrops on the messages shared between MU and TS using this query.

2) Corrupt($\Pi^{b_1}_{MU}$):
A forges parameters from the memory of a compromised MU using this query.

3) Reveal($\Pi^{b}$):
A can disclose the secret session key SK between MU and RC, RC, MU and other participants using this query.

4) Test($\Pi^{b}$):
A can test by calling $\Pi^{b}$ to check the originality of SK. The $\Pi^{b}$ received should be random for A, and A flips a coin, say d (Accepted Instance); in that case, the following three cases arise.
• TS mutual participation state

5) Semantic Security: Let A be fully authorized to run the Test(.) query and try to interfere with P in polynomially many tries. Individually, the three algorithms, i.e., Execute(.), Send(.), and Hash(.), are run $q_E$, $q_S$, and $q_H$ times. The Test(.) query is run once at most. Let $l_h$ be the length in bits of the collision-resistant one-way hash function, and $n = 2^{l_h}$ be the average length of hash operation for another transcript in P. Then the advantage of A in breaking P by polynomial-time attempts can be expressed as:

To model the different attacks on P, we argue through different games. The event $Sus_i^A\ (0 < i < 3)$ corresponding to these games means that A achieves its goal in that specific game. The games are defined one by one as follows:

Game 0: In this environment, A launches a genuine attack on P. The probability of A cracking P is represented in Eq (1).
Game 1: In this environment, A launches Execute(.) and Test(.) queries to verify the obtained results against protocol P's transcripts $(B', r_1', F, G, T_1)$, which are related to the session secret key SK. However, because the random numbers differ for each round trip, A cannot determine the relationship of $(B', r_1', F, G, T_1)$ with the result obtained through the Test(.) query. The probability of A identifying the relationship of P's transcripts is represented in Eq (2).
Game 2: Here A calculates the session secret key SK from the messages transmitted over a public network channel, i.e. $SK = h(h(A \| r_2 \| r_1 \| r_3 \| A')$, but the use of SHA1 of key size 156-bits makes this difficult for A; the probability of A computing SK from the openly transmitted messages of P is represented in Eq (3).
Game 3: In this environment, A runs Execute(.) and Send(.) queries to launch a hash image collision attack. According to the birthday paradox [32], the risk of hash collision is . Therefore, the probability of A obtaining a hash collision in P is represented in Eq (4).
Similarly, for the random bit $r \in (0, 1)$, the probability of A guessing the random number of P is represented in Eq (4).

Security model
This model consists of two peers: the Adversary A and the Responder Ɽ. A communicates with the mobile user (MU), TS or RC, and we denote all of them as $\ddot{E}^{\sigma}$, which means the $\sigma$-th instance of any of MU, TS or RC. A launches the queries, and the responses received from Responder Ɽ are shown in Table 2.
• $\ddot{E}^{Sn}$ means A impersonates MU, TS, RC by forcing $r_1$ or $r_2$
• $\ddot{E}^{Ns}$ means A forges $r_3$ or $r_4$ from the participants
• $\ddot{E}^{SS}$ means A overcomes the semantic security of the protocol.

ProVerif2.03 simulation
This is a formal security analysis method in which we check the key's robustness, the key's secrecy, confidentiality, and reachability. The code for the programming verification toolkit ProVerif2.03 [36] is in S1 Appendix of this article. Upon running the code, the result shows that the attacker could not crack the secret session key at any computation stage. The status of SK is secure, and its confidentiality and reachability are preserved, as shown below:
Verification summary:
Setup: By running this query, the challenger C returns the obtained parameters to A.

$h(Message_k)$:
The challenger C maintains a list $L_{hx}$. On a query $h(Message_k)$, C extracts $r_k \in Z_p^*$ and records $\{Message_k, r_k\}$ in $L_{hx}$; if $Message_k$ is not found, C again stores the result in $L_{hx}$ and returns $r_k$ to A.

$MAC(k, Message_k)$:
The list $L_{Mx}$ stored with C comprises tuples of the form $MAC(k, Message_k, M)$. On a query $MAC(k, m_k)$, C extracts $M \in Z_p^*$ and stores $\{k, m_k, M\}$ in $L_{Mx}$; if not found, C returns $M$ to A.

Send($\ddot{E}^{\sigma}$, $M^{\sigma}$):
The challenger C sends this message to the proposed authentication protocol and communicates the output received to A.

Execute(MU, RC):
The result obtained by C using this query is $r_1$, $r_2$, which is shared with A.

Execute(RC, TS):
The result from this query, $r_3$, $r_4$, is shared with A.

Reveal($\ddot{E}^{\sigma}$):
The challenger C yields the present secret session key SK with $\ddot{E}^{\sigma}$ and A.

GNY logic analysis
The GNY logic [37] is a formal method of security analysis that Gong, Needham and Yahalom first introduced for the formal proof of a security protocol. The different formulae and statements used in this logic are shown in Table 3. We now apply GNY logic to the proposed protocol and make the following assumptions:

Table 3. Formulas and statements used in GNY logic.
Formula/Statement | Description
(A, B) | Combining A with B
h(A) | Hashing of A
*A:A | A is not initiated here

We transformed the proposed scheme to P → Q: (X) from fill-in GNY logic and made some changes to notations. Using GNY logic, the proposed scheme can be represented as:

The mobile user keeps $ID_{MU}$ and $PW_{MU}$ in its memory and can extract $r_1$ during computations, so by applying the GNY logic and Eq (7), we have Eqs (12) and (37), we have Eqs (17) and (38), we have Eqs (37) and (39) become: Eq (41) becomes: Keeping Eqs (42) and (43), and the credentials checking by mobile-user in which each part/parameter of the message passed/verified to and from RC, as shown as under: Keeping Eqs (46) and (47), and the credentials checking by teleworking-server in which each part/parameter of the message passed/verified to and from RC, as shown under: From Eqs (44) and (45), we have: From Eqs (48)-to-(51), the same for RC, as RC has full control over the message in, From Eqs (52)-to-(56), again for RC because the RC has complete control over the message in, Like RC (Eqs (57)-to-(62), we will use the GNY logic for a mobile user, as MU also sees , so, we have :

Informal security analysis
Assume an adversary A has complete control over the open network and can intercept, manipulate, delete, or update the communication transmitted between participants. The following shows how the presented authentication system withstands the identified weaknesses. In this section of the study, we address such assumptions one by one as follows:

Resists side channel attack.
The presented security mechanism is generally less dependent on key numbers, strongly validates the main attributes at various steps, and calculates a different secret session key for each session, so the sequence of operations changes from one session to the next. Similarly, the availability of timestamps at each round trip of the protocol and the exchange of different random numbers for different sessions mean that the proposed security mechanism efficiently withstands a side-channel attack.

Resists insider attacks.
The registration center (RC) first picks a random number $s$ of size 160-bits, $r_{TS}$, $x_{TS}$, then concatenates it with the identity of a mobile user or teleworking server to quickly calculate the secret session key. The hash code generated is in a collision-free and non-readable format, so A cannot, at any stage, identify the identity or password from stored values. Similarly, the messages exchanged among participants change for upcoming sessions; if A gets access to the internal credentials, their attempt fails because each peer chooses large random numbers, the calculations are complex, and the secret session key is computed arbitrarily. Therefore, the teleworking environment security mechanism resists insider threats.

Resists stolen-verifier attack.
Suppose an attacker A steals the mobile device, embezzles personal values from the teleworking server's memory and attempts to figure out the identities or passwords. In that case, they will fail because the proposed security mechanism is based purely on large random numbers and SHA-1. Due to the large random numbers $r_1$, $r_2$, $r_3$, $r_4$, $r_5$, $s$, $x_{TS}$, $r_{TS}$ for every session key and the linkage of these numbers with the identity/password, A cannot succeed. Therefore, the proposed scheme withstands a stolen verifier attack.

Resists man-in-the-middle attack.
Suppose A attempts to modify, discard, update, copy, or divert the information exchanged between MU → RC $(B', r_1', F, G, T_1)$, RC → TS $(r_1', A'', Q_2, Q_3, T_2)$, or TS → RC $(r_3', Q_4, Q_5, T_3)$, RC → MU $(r_3', Q_5, Q_6, Q_7, T_4)$, and the peers believe that some malicious entity has acted; they then promptly stop establishing the secure session key. To do so, however, A does not know the 160-bit long random numbers $r_1$, $r_2$, $r_3$, $x_{MU}$, $r_{MU}$, $x_{TS}$, $r_{TS}$, so any illegal attempt will promptly be detected due to randomness in the exchanged information. Also, the recorded time threshold for each round trip and message confirmation can ensure mitigation of a man-in-the-middle attack. Against any independent connection established by a third party, the secret values which are not known to anyone, the identities and the random numbers can mitigate malicious deeds (man-in-the-middle attack, etc.) in the proposed lightweight authentication and key establishment protocol. Therefore, our proposed scheme is safe against man-in-the-middle attacks.

Spoofing attack.
Suppose A wants to send false messages to a teleworking server (TS). In that case, they will fail because a pre-defined time threshold is verified in each round trip. Also, other checks for different messages like G = h(ID  .

This means that the secrecy of the secret session key is strong in the proposed security mechanism.

64-bits of random numbers $r_{MU}$, $x_{MU}$, $r_1$, he/she cannot extract password from the stolen mobile device or illegal internal entry. Also, the proposed protocol has many checks at different round trips and can deny any illegal attempt by A at online/offline password guessing. Therefore, the proposed protocol resists password-guessing attacks.

Untraceability.
The user in the proposed protocol is untraceable because the messages transmitted over a public network channel cannot be revealed to an attacker. For example, if an attacker wants to find the identity from the messages $\{B', r_1', F, G, T_1\}$, $\{r_1', A'', Q_2, Q_3, T_2\}$, $\{r_3', Q_4, Q_5, T_3\}$, $\{r_3', Q_5', Q_6, Q_7, T_4\}$, they have to pass through many complex calculations. Also, the timestamp, random nonce and 64 bits of long key are concatenated with the identity, so the attacker cannot figure out any useful information from any of the messages exchanged over public channels. Therefore, the proposed protocol lets the user remain untraced and secure, and their privacy is preserved.

Physical protection.
Anyone who wants to use the facilities of the proposed protocol must pass the registration phase. Suppose some culprit captures any legitimate user or mobile device and tries to find valuable credentials from it. The culprit must compute $A = h(ID_{TS} \| r_{TS})$, $B = h(ID_{TS} \| s)$, $C = h(ID_{TS} \| x_{TS})$ and $D = r_{TS} \oplus C$ for the mobile device, and $A' = h(ID_{MU} \| r_{MU})$ and $B' = A' \oplus h(s \| x_{MU})$ for the teleworking server, which is absolutely not possible. Even if someone finds useful credentials, like a key, identity, or any other parameter, they cannot establish a connection with the system due to the dynamicity of each message; such an attempt could promptly be highlighted to the organization, and no peer can negotiate with an illegitimate third party at any stage. Therefore, the physical protection feature is available in our scheme.

the proposed security mechanism is robust against DoS attacks.

Perfect forward secrecy.
We have a user password change phase, in which a legal user can easily, securely and efficiently update their password without interacting with the TS or RC, which means the proposed secure framework offers high scalability and deposits the RC. It means any change in the stored credentials could be submitted to RC and alternately to all peers. So, upon computing the session key, all the credentials can be secretly changed from the user side to the server. This prominent feature is available in the proposed security framework.

Performance and comparative analyses
The performance of the proposed protocol can be measured by considering computation and communication costs. These are as follows:

Computation costs analysis
Suppose $T_E$ is the time consumed when a random number is extracted, $T_h$ is the time for a collision-free one-way hash function, and $T_{XoR}$ is the time of an XOR operation, as shown in Table 4 and diagrammatically in Fig 7. According to [38,39], the times for the different cryptographic operations are as follows:
• Computation time for extracting random numbers $T_E = 2.011$ ms
• Computation time for one-way hash function $T_h = 0.09$ ms
• Computation time for bit-wise XOR operation $T_{XoR} \approx 0$ ms
It is worth mentioning that only the cost calculated in the login authentication phase is counted as computation cost, which is $6T_E + 42T_h + 18T_{XOR} = 6(2.011) + 42(0.09) + 0 = 12.066 + 3.78 = 15.786$ ms, while the computation costs of the registration phase are discarded.

Communication costs analysis
The , Q 5 , Q 6 , Q 7 , T 4 }. According to [38,39], an identity takes 60 bits of space, a timestamp 56 bits, a random number 64 bits, and a one-way hash function 156 bits of memory space; the communication costs of the proposed protocol in bits are shown in Table 5 and diagrammatically in Fig 8.

Comparative analysis
The proposed protocol is compared, in terms of extra security features, with Chall et al. [22], Wazid et al. [23], Shuai et al. [24], and Oh et al. [25], as shown in Table 6. The result shows that our protocol satisfies all the design goals discussed in section II of the paper.
Similarly, the proposed scheme is compared with Xia et al. [7], Wazid et al. [23], Ding et al. [26], and Yang et al. [40] in terms of computation and communication costs, as shown in Table 7. The results show that the proposed security mechanism is lightweight, fast, secure, and suitable for practical implementation in the teleworking environment. The comparison in   Furthermore, the proposed protocol has better performance than its competitors, i.e. Xia et al. [7], Wazid et al. [23], Ding et al. [26], and Yang et al. [40]. The percentage improvement of the proposed protocol over the mentioned schemes is shown in Table 8.
Table 8 shows that the proposed protocol is 8.94% better in communication costs than the Xia et al. [7] scheme, 20.66% better than the Wazid et al. [23] scheme, 34.4% better than the Ding et al. [26] scheme and 33.22% better than the Yang et al. [40] scheme. The maximum improvement in communication costs is 34.4%, and the minimum is 8.94%. Similarly, the percentage improvement of our scheme in terms of computation costs is 73.17% over Xia et al. [7], 66.09% over Wazid et al. [23], 3.89% over Ding et al. [26] and 66.49% over the Yang et al. [40] scheme. The maximum improvement is 73.17%, and the minimum is 3.89%. In view of this, our scheme is superior to its competitors.

Conclusion
Nowadays, people prefer remote work through the Internet (teleworking environment) instead of attending physically. Such an environment is prone to numerous security issues and attacks, like eavesdropping, unavailability, masquerading, replay, DoS, etc. To address them, we have, in this article, proposed a lightweight and robust authentication protocol for those continuously using the Internet for remote monitoring of official work and securely authenticating before starting work. We have used SHA1 for the design of a protocol that is lightweight, robust in security, and offers efficient services to all the participants. We have tested the security of the proposed authentication protocol through a well-known formal technique, ROM analysis, the programming verification toolkit ProVerif2.03, and informally via programmatic discussions. The performance of the proposed security mechanism has been evaluated by considering computation and communication costs. Upon comparing the proposed mechanism with the existing security schemes in terms of security features and performance metrics, it has been demonstrated that the proposed protocol achieved a maximum of 34% improvement in computation and 73% improvement in communication costs, resisted all known vulnerabilities, and can be implemented practically in the teleworking environment.
In the future, the proposed security scheme can be designed using blockchain technology, and the simulation part can be conducted through a network security simulator (NeSSi).

Fig 5. Login & authentication phase. Remark: The clock synchronization issue can be addressed by configuring each participant to the global clock so that it will establish the start and finish time slot as well as correct the offset and drift rate of the participants' clock w.r.t. global time. https://doi.org/10.1371/journal.pone.0298276.g005

Fig 6. Password change phase. https://doi.org/10.1371/journal.pone.0298276.g006

Table 3. Formulas and statements used in GNY logic (further rows).
A believes SK is the secret session key among A and B
P |⇒ A | P control A
P ⊲ *A | P sees A, which hasn't been delivered previously for the current session
https://doi.org/10.1371/journal.pone.0298276.t003

1 /
messages transmitted during the login and authentication phase among different participating entities are {B / , r